| 17. | If, in accordance with paragraph 16(a), the user auditor plans to use a type 2 report as audit evidence that controls at the service organization are operating effectively, the user auditor shall determine whether the service auditor's report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor's risk assessment by: |
| (a) | Evaluating whether the description, design and operating effectiveness of controls at the service organization is at a date or for a period that is appropriate for the user auditor's purposes; |
| (b) | Determining whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness; |
| (c) | Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; and |
| (d) | Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditor's report, are relevant to the assertions in the user entity's financial statements and provide sufficient appropriate audit evidence to support the user auditor's risk assessment. (Ref: Para. A31-A39) |
|
|
Licence and copyright | © 2018, LexisNexis Group a division of Reed Elsevier (UK) Ltd. All rights reserved. |